Commit 090da094 authored by William A. Rowe Jr's avatar William A. Rowe Jr
Browse files 

  core: strip C-L from any request with a T-E header
  resolves external origin CAN-2005-2088 issues, does not
  address internal origin C-L/T-E discrepancies within proxy_http

Security: CVE CAN-2005-2088
Submitted by: Joe Orton
Reviewed by:  Jeff Trawick, Will Rowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@219061 13f79535-47bb-0310-9956-ffa450edef68
parent a49fc688

CHANGES

+5 −0
Original line number Diff line number Diff line 
Changes with Apache 2.0.55













  *) SECURITY: CAN-2005-2088













     core: If a request contains both Transfer-Encoding and Content-Length













     headers, remove the Content-Length, mitigating some HTTP Request 













     Splitting/Spoofing attacks.  [Paul Querna, Joe Orton]



























  *) proxy HTTP: If a response contains both Transfer-Encoding and a 















     Content-Length, remove the Content-Length and don't reuse the















     connection, mitigating some HTTP Response Splitting attacks.

































STATUS



+1
−4






























Original line number
Diff line number
Diff line








@@ -111,10 +111,7 @@ RELEASE SHOWSTOPPERS:





























    * Various fixes to T-E and C-L processing from trunk





























      + core: strip C-L from any request with a T-E header













          http://people.apache.org/~jorton/ap_tevscl.diff













          (CVE CAN-2005-2088)













        +1: jorton, trawick













































PATCHES ACCEPTED TO BACKPORT FROM TRUNK:















  [ please append new backports at the end of this list not the top. ]

































server/protocol.c



+9
−0






























Original line number
Diff line number
Diff line








@@ -885,6 +885,15 @@ request_rec *ap_read_request(conn_rec *conn)













            apr_brigade_destroy(tmp_bb);















            return r;















        }



























        if (apr_table_get(r->headers_in, "Transfer-Encoding")













            && apr_table_get(r->headers_in, "Content-Length")) {













            /* 2616 section 4.4, point 3: "if both Transfer-Encoding













             * and Content-Length are received, the latter MUST be













             * ignored"; so unset it here to prevent any confusion













             * later. */













            apr_table_unset(r->headers_in, "Content-Length");













        }















    }















    else {















        if (r->header_only) {